Exploring The IoT Attack Surface

Jeff Pollard

Merritt Maxim and I just published our research on the IoT Attack Surface. This report gives a realistic, but not sensationalized, view of how enterprises need to think about IoT. Three factors motivated our research for this topic - attacks on IoT will transcend the digital-physical divide, the sheer scale of IoT will challenge security teams, and IoT devices collect massive amounts of data.

The following methodology allowed us to home in on concrete enterprise scenarios:

  • We went for offense first. We started by interviewing prominent security researchers who spend their days thinking about how to attack IoT devices and systems. Our outside-in approach allowed us to develop a threat model for intrusions, as well as identify weak points in the defenses of IoT makers, users, and operators.
  • We explored the ramifications of an attack. We wanted to understand what an attacker would - or could - do when successful. We also wanted to understand the amount of friction that existed for whatever came next - credential harvesting, persistence, or disrupting operations.
  • We examined existing security practices to understand what works, and what doesn't when defending IoT devices. This step highlighted that while IoT is different, defending IoT looks similar to other security problems S&R pros have dealt with. You can bring security lessons forward and apply them to IoT without having to learn them all over again.

Introducing The Forrester Wave™: Digital Risk Monitoring, Q3 2016

Nick Hayes

We recently published our Forrester Wave™: Digital Risk Monitoring, Q3 2016 report. We evaluate nine of the top vendors in this emerging market that offer solutions to continuously monitor “digital” -- i.e., social, mobile, web, and dark web -- channels to detect, prevent, and mitigate any type of risk event posing a threat to organizations today.


Why now

It’s almost 2017 and yet companies are more exposed and less equipped to handle the slew of risks that run rampant across countless digital channels today. Digital risk monitoring (DRM) solutions are increasingly valuable for organizations because:

  • Digital channels are now ground zero for cyber, brand, and even physical attacks. Cybercriminals use a variety of tactics to weaponize social media, impersonate or embed malware into mobile apps, deface websites, collude in dark channels, and cause financial, reputational, or physical harm. Digital risk monitoring tools combat these methods by deploying a variety of data-gathering and advanced risk analysis techniques. They aggregate data via open-source intelligence (OSINT), technical intelligence (TECHINT), human intelligence (HUMINT), and even covert human intelligence (CHIS). Then they analyze the collected data with data classifiers, machine learning, and risk scoring algorithms to determine the most likely and most threatening risk events in a quick and efficient manner.

S&R Analyst Spotlight: Josh Zelonis

Stephanie Balaouras

Based on the West Coast, Senior Analyst Josh Zelonis is the newest addition to the S&R team. When he’s not out cruising his Harley, Josh is working with clients to adapt their architecture, policies, and processes to evolving threats and to develop robust incident response programs. His research focuses on threat intelligence, endpoint detection and response (EDR), malware analysis, pen testing/red teaming, forensics and investigations, and of course, incident response.


Prior to joining Forrester, Josh accumulated over 13 years of experience as a security practitioner with demonstrated success in product architecture, engineering, and security assessment roles. As a product architect, Josh helped design and build innovative technologies in the breach detection space, architecting both endpoint and appliance products with a focus on data collection and analytics. His background also includes extensive experience in security assessment roles including red team, vulnerability research, and compliance.

Listen to Josh’s conversation with me to hear about his biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year:


What do you foresee as the biggest threat to security and privacy in the United States in the next ten years?


Ping Identity Acquires UnboundID

Merritt Maxim

Yesterday, Ping Identity announced it has acquired Austin, Texas-based UnboundID. Although the financial terms were not disclosed, Forrester estimates the purchase price in the $50M-$75M range, based on typical M&A SaaS revenue multiples of 6X to 8X and Forrester’s estimation of UnboundID’s annual revenue.

This acquisition is not particularly surprising, as UnboundID and Ping have had a healthy reseller relationship since April 2015, so the purchase merely consummates the existing relationship. It also demonstrates how reselling relationships can help software vendors validate how they complement each other and set the stage for a complete acquisition.

For me, there are three key takeaways from the Ping Identity/UnboundID merger:

1. Customer identity and access management (CIAM) demand is strong and growing. UnboundID’s focus on customer IAM complements Ping’s existing strengths in enterprise IAM and provides further evidence of the strong demand from today’s digital businesses to build compelling, identity-centric digital customer experiences. Forrester has seen a steady increase in the number of CIAM-related inquiries from enterprise clients looking to provide a holistic, omnichannel customer experience that doesn’t compromise on security or privacy. The Ping/UnboundID combination is now positioned to meet that growing demand.


Cybersecurity Takes Center Stage In US Presidential Election

Stephanie Balaouras

Last week, WikiLeaks posted a treasure trove of internal emails from the Democratic National Committee (DNC). The leaked emails demonstrated a clear bias within the DNC against Bernie Sanders and for Hillary Clinton, when the organization claimed to be neutral. The incident:
  • Confirms two of our 2016 cybersecurity predictions:
    • In 2015, we predicted that cybersecurity would become a major issue in the 2016 US presidential election. Not only have candidates discussed cybersecurity issues such as encryption throughout the debates; with the DNC email leak, cybersecurity itself is taking center stage in the election and influencing events. It is worth noting that hacking during election season is not purely a US-related issue. The entire voter registration database of the Philippines, which included fingerprint data, was hacked this spring.
    • We also predicted that an executive would need to step down due to a cybersecurity breach. As the result of the embarrassing emails, the DNC chairwoman, Debbie Wasserman Schultz, has announced her resignation at the end of the DNC convention.

Cisco buys Cloud Security Gateway vendor CloudLock for $293M

Andras Cser

Given Symantec's recent acquisition of BlueCoat (and with it BlueCoat's earlier acquired Elastica and Perspecsys cloud security gateway (CSG) assets), and IBM's organic buildout of its Cloud Security Enforcer CSG solution, it hardly comes as a surprise that Cisco today announced its intent to acquire CloudLock for US$293M (in Forrester's estimation this purchase price represents at least 10-15x of CloudLock's current revenues). Considering that CloudLock's DNA and pedigree is mainly in cloud data governance and data leak prevention using API-based connectivity to SaaS (and lately IaaS) apps without its own gateway solution, Forrester expects that Cisco will do the following with CloudLock:

1) Integrate CloudLock's CSG offering with its own Ironport Secure Web Gateway (SWG) offering for interception of on-prem to cloud traffic,

2) invest in improving machine learning and behavioral analytics (already there in CloudLock's CSG solution),

3) improve data protection and cloud encryption in the solution, 

4) use its distribution channels to penetrate the lucrative and fast-growing (Forrester's estimate: 20%-25% y/y global growth) CSG market,

5) start an acquisition wave in which other large SWG vendors will follow suit and acquire smaller CSG vendors.

Forrester’s Security & Risk Research Spotlight - Governance, Risk And Compliance

Stephanie Balaouras

Crises don’t discriminate. Whether they are economic, geopolitical, technological or environmental, you can expect to have to deal with a major one soon. And how well you minimize the impact of that crisis is the difference between achieving your business objectives, and completely missing them, disappointing your customers, employees, partners, and shareholders in the process. Lucky for you (if you believe in luck and not the probability of chance events), Forrester’s risk experts have updated The Governance, Risk, And Compliance Playbook For 2016. I also recently finished a series of reports on the state of business continuity (which I have creatively named part 1, part 2, and part 3) to give you a jump start on your GRC efforts. Below, I’ve highlighted some of our most recent and exciting GRC research:


Security and risk professionals: Team up with your marketing peers to design your customers' privacy experiences

Enza Iannopollo

The battle over ad blockers has never been fiercer: Their popularity with consumers is skyrocketing across the globe. Ad blockers offer a better online experience and have become easier to use. But consumers like them as a way to protect their privacy and their data from being misused. Firms increasingly think that their best bet is to block the blockers. But a recent study has shown that this strategy is just a losing game, as it has contributed to the deep decline in traffic figures. And the problem doesn’t end there; the EU recently made its voice heard by saying that blocking ad blockers is a practice that breaches EU privacy rules.

But what about your customers? If you use ad blockers, just think of the last time you wanted to check out an article online but were asked to uninstall your ad blocker first or, possibly worse, to fill in your details to “freely” enjoy your read.

Security, risk, and privacy professionals must be mindful that the privacy practices that they design and enforce have a direct effect on the customer’s interaction with their firms. As much as they think about compliance, they must consider the privacy experience of their customers too. And this is one of the examples where the collaboration with marketing leaders, including customer experience, customer insight, and the marketing leadership, becomes extremely important.


Facebook, LinkedIn, Twitter: The New Cyberweapons Of Choice

Nick Hayes

New social media scams and marketing #fails are common fodder for water cooler banter today – even a recent episode of HBO’s Veep ran a joke where the President blames a Chinese cyberattack for sending an ill-advised tweet.

But social media cybersecurity issues are far from a laughing matter, and it’s time we all take notice. Our new report Four Ways Cybercriminals Exploit Social Media proves this.

Poor social media security practices put you, your brand, your customers, your executives, and your entire organization at serious risk. According to Cisco, Facebook scams were the most common form of malware distributed in 2015, and in its most recent annual internet crime report, the FBI highlighted that social media-related events had quadrupled over the past five years. Social media is also increasingly an effective tool for terrorist groups like ISIS, even as Twitter and other social networks work around the clock to remove associated accounts.


Could Your Next Security Analyst Be A Computer?

Joseph Blankenship

Cybersecurity requires a specialized skillset and a lot of manual work. We depend on the knowledge of our security analysts to recognize and stop threats. To do their work, they need information. Some of that information can be found internally in device logs, network metadata or scan results. Analysts may also look outside the organization at threat intelligence feeds, security blogs, social media sites, threat reports and other resources for information.

This takes a lot of time.

Security analysts are expensive resources. In many organizations, they are overwhelmed with work. Alerts are triaged, so that only the most serious get worked. Many alerts don’t get worked at all. That means that some security incidents are never investigated, leaving gaps in threat detection.

This is not new information for security pros. They get reminded of this every time they read an industry news article, attend a security conference or listen to a vendor presentation. We know there are not enough trained security professionals available to fill the open positions.

Since the start of the Industrial Revolution, we have strived to find technical answers to our labor problems. Much manual labor was replaced with machines, making production faster and more efficient.

Advances in artificial intelligence and robotics are now making it possible for humans and machines to work side-by-side. This is happening now on factory floors all over the world. Now, it’s coming to a new production facility, the security operations center (SOC).

Today, IBM announced a new initiative to use their cognitive computing technology, Watson, for cybersecurity. Watson for Cyber Security promises to give security analysts a new resource for detecting, investigating and responding to security threats.
